On 5/7/2014 10:06 PM, Jan Just Keijser wrote:
> Hi Andris,
>
> On 08/05/14 03:32, Andris Kalnozols wrote:
>> The X.509 user certificates in our organization have Subject fields
>> that appear as in the following example:
>>
>> Subject: O=Hewlett-Packard Company, OU=WEB,
>> CN=GivenName Surname/emailAddress=u...@hp.com
>>
>> Since the Common Name (CN) attribute is not guaranteed to be unique
>> across the company but the "emailAddress" attribute is, I was very
>> glad to see the availablity of the "--x509-username-field" option.
>>
>> However, the following code in src/openvpn/options.c prevents the
>> option from working as intended:
>>
>>> #ifdef ENABLE_X509ALTUSERNAME
>>> else if (streq (p[0], "x509-username-field") && p[1])
>>> {
>>> char *s = p[1];
>>> VERIFY_PERMISSION (OPT_P_GENERAL);
>>> ??? if( strncmp ("ext:",s,4) != 0 )
>>> ??? while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if
>>> necessary */
>>> options->x509_username_field = p[1];
>>> }
>>> #endif /* ENABLE_X509ALTUSERNAME */
>> RFC 2985 specifies that the emailAddress attribute is case-insensitive:
>>
>>> emailAddress ATTRIBUTE ::= {
>>> WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress))
>>> EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
>>> ID pkcs-9-at-emailAdress
>>> }
>> While the "pkcs9CaseIgnoreMatch" match rule probably refers to the
>> email address(es) to which the attribute point(s), I can find no
>> requirement in the RFCs which require that the attributes themselves
>> be prefixed with "ext:" to preserve their character case when being
>> matched by an X.509 application. I think the "if" statement needs
>> to be removed.
>>
>>
> I'm not one the core developers of openvpn, but I think I've read the
> code often enough.
> The way I see the openvpn code is as this:
> if the x509-username-field starts with "ext:" then uppercase the
> entire attribute name.
> This means that openvpn will do a case-insensitive match for this
> particular attribute *name* in a certificate *extension* (e.g a
> subjectAltName extension)
>
> Without "ext:" openvpn will do a case sensitive match in the full
> certificate DN (e.g. /emailAddress=.....)
> There's no reason for openvpn to do a case insensitive match here - that
> would mean that there are two simultaneous connections with two
> certificates DNs
> /emailAddress=j...@example.com
> /emailAddress=j...@example.com
> which need to be matched/merged - this can not happen , as far as I
> understand.
>
> If extended validation (user auth) based on /emailAddress= is necessary
> then a 'tls-verify' script can be used to do a case insensitive check.
Many thanks, Jan, for the explanation. My intuition told me that the
"ext:" tag was to accommodate X.509 extensions but speed-reading through
concentrated RFCs trying to find the relevant specification that matches
this OpenVPN scenario is difficult to do in addition to $DayJob. ;-)
However, the statement that "if the x509-username-field starts with
"ext:" then uppercase the entire attribute name" would only be true
if the string comparison returned zero, i.e.,
if (strncmp("ext:", s, 4) == 0)
This would also solve the problem quite nicely and allow me have
x509-username-field emailAddress
in my OpenVPN configuration file.
Regards,
Andris
